mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
43a0f2733a
Ensure that the certificate required alert actually gets sent (and doesn't get translated into handshake failure in TLSv1.3). Ensure that proper reason codes are given for the new TLSv1.3 alerts. Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left over from an earlier TLSv1.3 draft that is no longer used. Fixes #6804 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6809)
197 lines
7.8 KiB
Perl
197 lines
7.8 KiB
Perl
# -*- mode: perl; -*-
|
|
|
|
## SSL test configurations
|
|
|
|
package ssltests;
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use OpenSSL::Test;
|
|
use OpenSSL::Test::Utils qw(anydisabled disabled);
|
|
setup("no_test_here");
|
|
|
|
# We test version-flexible negotiation (undef) and each protocol version.
|
|
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
|
|
|
|
my @is_disabled = (0);
|
|
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
|
|
|
|
our @tests = ();
|
|
|
|
sub generate_tests() {
|
|
foreach (0..$#protocols) {
|
|
my $protocol = $protocols[$_];
|
|
my $protocol_name = $protocol || "flex";
|
|
my $caalert;
|
|
my $method;
|
|
my $sctpenabled = 0;
|
|
if (!$is_disabled[$_]) {
|
|
if ($protocol_name eq "SSLv3") {
|
|
$caalert = "BadCertificate";
|
|
} else {
|
|
$caalert = "UnknownCA";
|
|
}
|
|
if ($protocol_name =~ m/^DTLS/) {
|
|
$method = "DTLS";
|
|
$sctpenabled = 1 if !disabled("sctp");
|
|
}
|
|
my $clihash;
|
|
my $clisigtype;
|
|
my $clisigalgs;
|
|
# TODO(TLS1.3) add TLSv1.3 versions
|
|
if ($protocol_name eq "TLSv1.2") {
|
|
$clihash = "SHA256";
|
|
$clisigtype = "RSA";
|
|
$clisigalgs = "SHA256+RSA";
|
|
}
|
|
for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
|
|
# Sanity-check simple handshake.
|
|
push @tests, {
|
|
name => "server-auth-${protocol_name}"
|
|
.($sctp ? "-sctp" : ""),
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "Success",
|
|
"Method" => $method,
|
|
},
|
|
};
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
|
|
|
# Handshake with client cert requested but not required or received.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-request"
|
|
.($sctp ? "-sctp" : ""),
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"VerifyMode" => "Request"
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "Success",
|
|
"Method" => $method,
|
|
},
|
|
};
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
|
|
|
# Handshake with client cert required but not present.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-require-fail"
|
|
.($sctp ? "-sctp" : ""),
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"VerifyCAFile" => test_pem("root-cert.pem"),
|
|
"VerifyMode" => "Require",
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "ServerFail",
|
|
"ExpectedServerAlert" =>
|
|
($protocol_name eq "flex" && !disabled("tls1_3"))
|
|
? "CertificateRequired" : "HandshakeFailure",
|
|
"Method" => $method,
|
|
},
|
|
};
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
|
|
|
# Successful handshake with client authentication.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-require"
|
|
.($sctp ? "-sctp" : ""),
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"ClientSignatureAlgorithms" => $clisigalgs,
|
|
"VerifyCAFile" => test_pem("root-cert.pem"),
|
|
"VerifyMode" => "Request",
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"Certificate" => test_pem("ee-client-chain.pem"),
|
|
"PrivateKey" => test_pem("ee-key.pem"),
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "Success",
|
|
"ExpectedClientCertType" => "RSA",
|
|
"ExpectedClientSignType" => $clisigtype,
|
|
"ExpectedClientSignHash" => $clihash,
|
|
"ExpectedClientCANames" => "empty",
|
|
"Method" => $method,
|
|
},
|
|
};
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
|
|
|
# Successful handshake with client authentication non-empty names
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-require-non-empty-names"
|
|
.($sctp ? "-sctp" : ""),
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"ClientSignatureAlgorithms" => $clisigalgs,
|
|
"ClientCAFile" => test_pem("root-cert.pem"),
|
|
"VerifyCAFile" => test_pem("root-cert.pem"),
|
|
"VerifyMode" => "Request",
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"Certificate" => test_pem("ee-client-chain.pem"),
|
|
"PrivateKey" => test_pem("ee-key.pem"),
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "Success",
|
|
"ExpectedClientCertType" => "RSA",
|
|
"ExpectedClientSignType" => $clisigtype,
|
|
"ExpectedClientSignHash" => $clihash,
|
|
"ExpectedClientCANames" => test_pem("root-cert.pem"),
|
|
"Method" => $method,
|
|
},
|
|
};
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
|
|
|
# Handshake with client authentication but without the root certificate.
|
|
push @tests, {
|
|
name => "client-auth-${protocol_name}-noroot"
|
|
.($sctp ? "-sctp" : ""),
|
|
server => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"VerifyMode" => "Require",
|
|
},
|
|
client => {
|
|
"MinProtocol" => $protocol,
|
|
"MaxProtocol" => $protocol,
|
|
"Certificate" => test_pem("ee-client-chain.pem"),
|
|
"PrivateKey" => test_pem("ee-key.pem"),
|
|
},
|
|
test => {
|
|
"ExpectedResult" => "ServerFail",
|
|
"ExpectedServerAlert" => $caalert,
|
|
"Method" => $method,
|
|
},
|
|
};
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
generate_tests();
|